This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Remote Access IPSEC - tunnel connects but unable to access any devices

Aaron Berger 3 months ago

I have configured Remote Access VPN - IPSEC and I am able to establish a connection via the Sophos Connect app.

However, I am unable to talk to any LAN devices connected to the Sophos XG 125W.

Here are my configuration settings:

1. Remote Client connecting via Sophos Connect app

- Local subnet: 192.168.5.X/24

- OS: Win11 (fully up to date, no 3rd party AV or firewall in place)

2. Sophos XG 125W Network

- OS: SFOS 20.0.1 MR-1-Build342
- Sophos XG 125W IP: 192.169.0.253

- Local Network - 192.168.0.X/24

- DNS Server IP (Windows Server Standard 2022): 192.168.0.10

- Sophos IPSEC Config:

VPN Firewall Rule

Device Access ACL

This thread was automatically locked due to age.

Top Replies

Mayur Makvana 3 months ago in reply to Aaron Berger +2 verified

Hello Aaron, Thank you for your time over chat. We found that the traffic was getting dropped under the IP Spoof. While reviewing, we could see that the SSL VPN is also having the same lease range…

Parents

0 Mayur Makvana 3 months ago

Hello,

Thank you for sharing the detailed information.

Please check whether the route added to the windows or not by running below command from windows CLI.

C:\>route print

If you can point that the route of 19.168.0.X added, follow below KBA:

community.sophos.com/.../sophos-firewall-how-to-identify-the-communication-issue-with-up-and-running-ipsec-tunnel

Mayur Makvana
Technical Account Manager | Global Customer Experience
Sophos Support Videos | Knowledge Base | @SophosSupport | Sign up for SMS Alerts |
If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Cancel
0 Aaron Berger 3 months ago in reply to Mayur Makvana

Hey Mayur Makvana

This is my route print from the Windows client machine running Sophos connect:

Hmm strange, I don't recognise gateway: 169.254.128.128
(Remote client gateway is 192.168.5.1) (Sophos XG is the gateway at the other end which is 192.168.0.253)
Cancel
Vote Up 0 Vote Down

Cancel
0 Mayur Makvana 3 months ago in reply to Aaron Berger

Hello,

This looks fine, can you please collect the tcpdump and drops simultaneously while pinging to the local LAN?

console> tcpdump ' host internalIP and proto ICMP

console>drop-packet-capture ' host internalIP and proto ICMP

Mayur Makvana
Technical Account Manager | Global Customer Experience
Sophos Support Videos | Knowledge Base | @SophosSupport | Sign up for SMS Alerts |
If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 Mayur Makvana 3 months ago in reply to Aaron Berger

Hello,

This looks fine, can you please collect the tcpdump and drops simultaneously while pinging to the local LAN?

console> tcpdump ' host internalIP and proto ICMP

console>drop-packet-capture ' host internalIP and proto ICMP

Mayur Makvana
Technical Account Manager | Global Customer Experience
Sophos Support Videos | Knowledge Base | @SophosSupport | Sign up for SMS Alerts |
If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 Aaron Berger 3 months ago in reply to Mayur Makvana

From CLI I ran: tcpdump ' host internalIP and proto ICMP

And get this:

However, when I run: drop-packet-capture 'host internalIP and proto ICMP'

I get command not found
Cancel
Vote Up 0 Vote Down

Cancel
0 Mayur Makvana 3 months ago in reply to Aaron Berger

Hello,

I could see that the traffic reached to the firewall. It may have dropped or forwarded.

Can you please DM with the Sophos Access ID?

Mayur Makvana
Technical Account Manager | Global Customer Experience
Sophos Support Videos | Knowledge Base | @SophosSupport | Sign up for SMS Alerts |
If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Cancel
+1 Mayur Makvana 3 months ago in reply to Aaron Berger

Hello Aaron,

Thank you for your time over chat.

We found that the traffic was getting dropped under the IP Spoof. While reviewing, we could see that the SSL VPN is also having the same lease range configured. We suggested changing the lease range for the SSL VPN or an IPSec to get the things working.

Mayur Makvana
Technical Account Manager | Global Customer Experience
Sophos Support Videos | Knowledge Base | @SophosSupport | Sign up for SMS Alerts |
If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up +2 Vote Down

Cancel